How to use hash authentication code (HMAC) with Android Keystore

I am studying using Android KeyStore for Marshmallow and above.

I would like to simultaneously verify data integrity and authentication of my data using HMAC.

How do I achieve this?

I am currently generating an encryption / decryption key as follows:

    mKeyStore = KeyStore.getInstance(keyStoreName);
    mKeyStore.load(mKeyStoreLoadStoreParameter);
    if (mKeyStore.containsAlias(keyStoreAlias)) {
        mSecretKey = (SecretKey) mKeyStore.getKey(keyStoreAlias, KEY_STORE_PASSWORD);
    } else {
        final KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, keyStoreName);
        final int keyPurpose = KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT;
        keyGenerator.init(
                new KeyGenParameterSpec.Builder(keyStoreAlias, keyPurpose)
                        .setKeySize(KEY_STORE_KEY_SIZE)
                        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                        .setRandomizedEncryptionRequired(true)
                        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                        .build());
        mSecretKey = keyGenerator.generateKey();
    }

I found this sample for generating an HMAC:

    SecretKey key = ...; // HMAC key of algorithm "HmacSHA512".
    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
    keyStore.load(null);
    keyStore.setEntry(
            "key1",
            new KeyStore.SecretKeyEntry(key),
            new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build());
    // Key imported, obtain a reference to it.
    SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null);
    // The original key can now be discarded.
    Mac mac = Mac.getInstance("HmacSHA512");
    mac.init(keyStoreKey);

However, how can I use this when encrypting / decrypting my data?

EXPLANATION

I have a number of decisions that need to be made when implementing security / cryptography in any Android application.

1) Do I use cryptography of any type, yes or no? 2) If so, then ... I should try to reach the "most" safe solution.

If I am going to use cryptography, then I need to provide the following.

a) I store passwords / secret keys in a "Safe Place", for example the Android Key Store. b) I use the "strongest" cryptography. c) I would like to simultaneously check both the integrity of the data and the authentication of my data, for example I would like to determine if my encrypted data has been changed.

As I understand from what I have read about HMAC, it provides this functionality. I would like to know how I code the use of HMAC in my Android application to ensure data integrity and authentication of my data.

+8
android cryptography keystore
1 answer

You can apply an HMAC to the plain text, HMAC(plain text), before encrypting, and recompute the HMAC after decryption to verify that the original message is the same.

This may be redundant, because if the ciphertext is changed, you cannot decrypt it.

First create an HMAC key inside AndroidKeyStore. I found an example here:

    // KeyGenerator is initialised with init(), not initialize() (that method belongs to KeyPairGenerator).
    KeyGenerator keyGenerator = KeyGenerator.getInstance(
            KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");
    keyGenerator.init(
            new KeyGenParameterSpec.Builder(hmacKeyAlias, KeyProperties.PURPOSE_SIGN).build());
    SecretKey key = keyGenerator.generateKey();

Then apply the HMAC to the source data and save the result somewhere:

    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(key);
    byte[] hmacOriginalData = mac.doFinal(dataToEncrypt);
    // Store hmacOriginalData alongside the ciphertext

After decryption, get the HMAC key from AndroidKeyStore, recompute the HMAC and verify that both MACs are equal:

    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
    keyStore.load(null);
    Key key = keyStore.getKey(hmacKeyAlias, null);
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(key);
    byte[] hmacDecryptedData = mac.doFinal(decryptedData);
    // Compare in constant time so the check does not leak how many bytes matched
    boolean valid = MessageDigest.isEqual(hmacDecryptedData, hmacOriginalData);
+6
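The complete flow that the question and the answer describe, put together in one class as an added example (this is not code from the question, the answer or the Android documentation). It assumes two hypothetical Keystore aliases, a 256-bit AES-GCM key, an HmacSHA256 key, and a constructed output layout of IV || ciphertext+GCM tag || HMAC(plaintext). It only runs on an Android device or emulator, since the AndroidKeyStore provider is not available on a desktop JVM.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** AES-GCM encryption plus a Keystore-backed HMAC over the plaintext (added example). */
public final class KeystoreSealer {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String AES_ALIAS = "example_aes_key";   // hypothetical alias
    private static final String HMAC_ALIAS = "example_hmac_key"; // hypothetical alias
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final int HMAC_BYTES = 32; // HmacSHA256 output length

    private static KeyStore loadKeyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return ks;
    }

    /** Returns the AES-GCM key, generating it inside the Keystore on first use. */
    static SecretKey aesKey() throws GeneralSecurityException, IOException {
        KeyStore ks = loadKeyStore();
        if (ks.containsAlias(AES_ALIAS)) {
            return (SecretKey) ks.getKey(AES_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(AES_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(256)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setRandomizedEncryptionRequired(true) // Keystore picks the IV
                .build());
        return kg.generateKey();
    }

    /** Returns the HMAC key; PURPOSE_SIGN is what the Keystore requires for Mac.init(). */
    static SecretKey hmacKey() throws GeneralSecurityException, IOException {
        KeyStore ks = loadKeyStore();
        if (ks.containsAlias(HMAC_ALIAS)) {
            return (SecretKey) ks.getKey(HMAC_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA256, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(HMAC_ALIAS, KeyProperties.PURPOSE_SIGN).build());
        return kg.generateKey();
    }

    private static byte[] hmac(byte[] data) throws GeneralSecurityException, IOException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(hmacKey());
        return mac.doFinal(data);
    }

    /** Encrypts and appends HMAC(plaintext). Output: IV (12) || ciphertext+tag || HMAC (32). */
    static byte[] seal(byte[] plaintext) throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, aesKey()); // no IV passed: the Keystore generates it
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(plaintext);
        byte[] tag = hmac(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length + tag.length)
                .put(iv).put(ct).put(tag).array();
    }

    /** Decrypts, recomputes the HMAC over the recovered plaintext and compares in constant time. */
    static byte[] open(byte[] blob) throws GeneralSecurityException, IOException {
        if (blob.length < GCM_IV_BYTES + HMAC_BYTES) {
            throw new GeneralSecurityException("sealed blob too short");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length - HMAC_BYTES);
        byte[] storedTag = Arrays.copyOfRange(blob, blob.length - HMAC_BYTES, blob.length);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, aesKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] plaintext = cipher.doFinal(ct); // throws AEADBadTagException if the ciphertext was altered

        if (!MessageDigest.isEqual(hmac(plaintext), storedTag)) {
            throw new GeneralSecurityException("HMAC mismatch: plaintext does not match stored MAC");
        }
        return plaintext;
    }
}
```

Two design points worth noting. GCM already authenticates the ciphertext, so `cipher.doFinal` fails on any modification before the HMAC check is reached; the separate HMAC is what the answer calls redundant, and it mainly earns its keep if the plaintext is also stored or transmitted unencrypted somewhere. The comparison uses `MessageDigest.isEqual` rather than `Arrays.equals` so that the time taken does not depend on how many leading bytes of the two MACs agree.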
